feat(copilot): add share_file tool + surface file share state to the agent#5656
feat(copilot): add share_file tool + surface file share state to the agent#5656TheodoreSpeaks wants to merge 1 commit into
Conversation
|
The latest updates on your projects. Learn more about Vercel for GitHub. |
PR SummaryMedium Risk Overview Policy fix (API + tool): When re-enabling a share without passing Agent visibility: Workspace VFS file Reviewed by Cursor Bugbot for commit 9e1e71a. Bugbot is set up for automated code reviews on this repo. Configure here. |
|
@greptile review |
Greptile SummaryThis PR adds file sharing support for the Copilot agent. The main changes are:
Confidence Score: 5/5This looks safe to merge.
Important Files Changed
Reviews (5): Last reviewed commit: "feat(copilot): add share_file tool handl..." | Re-trigger Greptile |
|
472a037 to
1673192
Compare
|
@greptile review Addressed the auth-type validation finding: |
| const shareByFileId = await getSharesForResources( | ||
| 'file', | ||
| files.map((file) => file.id) | ||
| ) |
There was a problem hiding this comment.
When getSharesForResources throws during a transient DB failure, this await is caught by the method-level catch, which returns an empty file list. The agent then sees no workspace files even though listWorkspaceFiles already succeeded. Since this share state is only metadata enrichment, the lookup should fall back to an empty share map so file metadata still materializes with shared: false.
1673192 to
1d76a7e
Compare
|
@greptile review Addressed both findings:
|
…te to the agent Implement the sim-side share_file server tool (resolves VFS path to file, keeps the existing org-policy + permission + audit checks, delegates to upsertFileShare). Register it in the tool router and generated catalog. Stamp an ambient 'shared'/'shareAuthType' flag onto file metadata via one batched share lookup, mirroring how workflows expose 'isDeployed'. Validate the EFFECTIVE auth type when re-enabling a share: upsertFileShare preserves an existing share's authType when none is passed, so validate the stored mode (not 'public') or a re-share could reactivate a now-disallowed password/email/sso share. Same fix applied to the share PUT route.
1d76a7e to
9e1e71a
Compare
|
@greptile review Added |
There was a problem hiding this comment.
Cursor Bugbot has reviewed your changes using default effort and found 1 potential issue.
❌ Bugbot Autofix is OFF. To automatically fix reported issues with cloud agents, enable autofix in the Cursor dashboard.
Reviewed by Cursor Bugbot for commit 9e1e71a. Configure here.
| authType, | ||
| password, | ||
| allowedEmails, | ||
| }) |
There was a problem hiding this comment.
Unshare clears stored auth type
High Severity
share_file still forwards authType into upsertFileShare on unshare, even though the catalog says it is ignored. upsertFileShare always persists authType, so an unshare that includes the schema default public overwrites a stored password/email/sso mode. A later bare re-enable then restores a public link instead of the prior protection.
Reviewed by Cursor Bugbot for commit 9e1e71a. Configure here.


Summary
share_fileserver tool handler: resolves a VFSpathto the file, keeps the existing checks (org public-sharing policy, write/admin permission,ShareValidationError, and theFILE_SHARED/FILE_SHARE_DISABLEDaudit), then delegates to the sharedupsertFileShare— same path the files UI usesshared/shareAuthTypeflag on each file's metadata via one batched share lookup (no N+1), so the agent can see andgrepwhat's shared — mirrors how workflows exposeisDeployedPairs with
mship-tools:checkregenerates the catalog from the copilot repo'stool-catalog-v1.json, so this PR's check stays red until fix(deps): bump the dependencies group in /apps/sim with 4 updates #353 lands.Type of Change
Testing
tsc --noEmit0 errors;bun run lint:checkandcheck:api-validation:strictpass; biome cleanChecklist
Companion: simstudioai/mothership#353